Node-fetch is a lightweight module that brings the window.fetch API, familiar from browsers, to Node.js environments. Versions 2.4.0 and 2.4.1 are very similar, sharing the same core dependencies and development dependencies, indicating a focus on stability and maintaining existing functionality. Both versions boast an MIT license, permitting wide usage and modification. The project is hosted on GitHub for transparency and community contribution. The author is David Frank.
The key difference lies in their release dates and potentially some minor bug fixes or performance improvements. Version 2.4.1 was released on April 27, 2019, shortly after version 2.4.0, which was released on April 26, 2019. Inspecting the code differences on GitHub might reveal the specific refinements. The unpacked size is slightly larger in 2.4.1 (152130 bytes) compared to 2.4.0 (151944 bytes), hinting at some added code, possibly related to optimizations or addressing edge cases.
For developers using node-fetch, these versions offer a consistent API for making HTTP requests. The presence of development dependencies like chai for testing and rollup for bundling suggests a well-maintained and tested library. While the differences between these two versions may be subtle, staying updated to the latest patch version (2.4.1) is generally recommended to benefit from any bug fixes or incremental improvements. Always consult the project's release notes or commit history for detailed information on changes between versions.
All the vulnerabilities related to version 2.4.1 of the package
The size option isn't honored after following a redirect in node-fetch
Node Fetch did not honor the size option after following a redirect, which means that when a content size was over the limit, a FetchError would never get thrown and the process would end without failure.
For most people, this fix will have little or no impact. However, if you are relying on node-fetch to gate files above a size, the impact could be significant, for example: if you don't double-check the size of the data after fetch() has completed, your JS thread could get tied up doing work on a large file (DoS) and/or cost you money in computing.
We released patched versions for both stable and beta channels:
v2: 2.6.1
v3: 3.0.0-beta.9
None; it is strongly recommended to update as soon as possible.
If you have any questions or comments about this advisory:
node-fetch forwards secure headers to untrusted sites
node-fetch forwards secure headers such as authorization, www-authenticate, cookie, & cookie2 when redirecting to an untrusted site.